Tuesday, July 21, 2009

How The Twitter Hack Did It

The French hacker, who goes by the nom de guerre of Hacker Croll, gave extensive details of his exploit to TechCrunch in a fascinating article last week.

Did he use fancy hacking tools? Was he a hi-tech evil genius? No, on both counts, and far from it. He used the same kind of password reset feature that another hacker in Tennessee used to crack Alaska Gov. Sarah Palin's e-mail account last year, when she was running for vice president.

Basically, what Croll did was gain access to the Gmail account of a Twitter employee. He used information publicly available on the web about Twitter and from social networking sites to gather enough possible responses to password reset questions.

This led to a dormant Hotmail account the Twitter employee had once used but had long since forgotten. By cracking that account as well -- again using password hints gathered from the same public sources -- Croll gained control of the backup account for the employee's Gmail. That way the employee would not be tipped off by any notifications sent to the secondary Hotmail address when the Gmail password was reset.

Some lessons learned from the attack are to be extra careful what you put on social networking sites, including clues about jobs, addresses and names of children and pets, for example. Also, make sure to have complex passwords, and don't use the same passwords for every account.

In the case of the Twitter hack, Croll found that the employee had used the same password not only for e-mail but for personal and financial accounts, as well.
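The two weaknesses described above (a reset link that lands in a forgotten, weakly protected account, and one password shared across e-mail, personal and financial accounts) can be audited mechanically. The script below is an added example written for this post, not something Twitter or Croll used; the account names, passwords and recovery relationships are constructed to mirror the chain in the article, and the scoring thresholds (12 characters, three character classes) are assumptions, not a standard.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional
import string


@dataclass
class Account:
    name: str
    password: str
    recovery: Optional[str] = None  # account that receives this one's reset links
    dormant: bool = False           # nobody reads this mailbox any more


# Constructed sample modelled on the chain in the article: the work account
# resets via Gmail, Gmail resets via a forgotten Hotmail box, and the Gmail
# password is also used for a bank login. Names and passwords are hypothetical.
SAMPLE = [
    Account("twitter-admin", "Tw1tter-Adm1n-Str0ng!", recovery="gmail"),
    Account("gmail", "Summer2009!", recovery="hotmail"),
    Account("hotmail", "fluffy", dormant=True),
    Account("bank", "Summer2009!"),
]


def password_issues(pw: str, min_len: int = 12) -> List[str]:
    """Cheap complexity check: length and number of character classes used."""
    issues = []
    if len(pw) < min_len:
        issues.append("too short")
    classes = sum(
        any(c in group for c in pw)
        for group in (string.ascii_lowercase, string.ascii_uppercase,
                      string.digits, string.punctuation)
    )
    if classes < 3:
        issues.append("fewer than 3 character classes")
    return issues


def reuse_groups(accounts: List[Account]) -> Dict[str, List[str]]:
    """Map each password used by more than one account to those account names."""
    by_pw: Dict[str, List[str]] = {}
    for a in accounts:
        by_pw.setdefault(a.password, []).append(a.name)
    return {pw: names for pw, names in by_pw.items() if len(names) > 1}


def recovery_chain(accounts: List[Account], name: str) -> List[str]:
    """Follow recovery pointers outward from `name`.

    Every account returned can be used to reset `name`, directly or through
    another reset, so the chain is only as strong as its weakest member.
    """
    by_name = {a.name: a for a in accounts}
    chain, seen = [], set()
    cur = by_name[name].recovery
    while cur and cur not in seen:
        seen.add(cur)
        chain.append(cur)
        cur = by_name[cur].recovery if cur in by_name else None
    return chain


def audit(accounts: List[Account]) -> List[str]:
    """Return human-readable findings: reuse, weak passwords, weak reset paths."""
    by_name = {a.name: a for a in accounts}
    findings = []
    for names in reuse_groups(accounts).values():
        findings.append(f"password reused across {names}")
    for a in accounts:
        for issue in password_issues(a.password):
            findings.append(f"{a.name}: {issue}")
        for dep in recovery_chain(accounts, a.name):
            d = by_name[dep]
            if d.dormant or password_issues(d.password):
                findings.append(f"{a.name}: reset link goes to weak or dormant account {dep}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

Run against the sample, the audit reports the shared Gmail/bank password, the short or single-class passwords, and that the work account can ultimately be reset through the dormant Hotmail box, which is exactly the path the article describes. The fix it points at is the one in the lessons above: a distinct strong password per account, and a recovery address that is itself actively monitored and well protected.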

E-mail, Twitter, it doesn't matter. They don't have to be scary. Just follow some safe account maintenance and password practices.
